- clear and easily accessible statements of its practices and policies;
- the type of personal information collected;
- the purpose of collection and usage of such information;
- disclosure of information and sensitive personal data as provided under the Rules; and
- reasonable security practices and procedures in place to keep information secure.

Prior consent of the user is required for the collection and disclosure of sensitive personal data or information.

In addition, the company must implement security standards and practices, and must have a comprehensively documented information security programme and security policies containing managerial, technical, operational and physical security measures that are commensurate with the information assets being protected. One such standard referred to in the Rules is the International Standard IS/ISO/IEC 27001 on “Information Technology Security Techniques”.